Federal Election Commission
Office of Inspector General

Final Report

Review of Outstanding Recommendations as of June 2014

July 2014

Assignment No. OIG-14-07

Office of Inspector General’s Review of Outstanding Recommendations as of June 2014

The Office of Inspector General (OIG) semiannually provides to the Commission the status of outstanding recommendations. Since the December 2013 report was issued, we added the Audit of the Federal Election Commission’s Office of Human Resources report (which was released in July 2013) to the audit follow-up process because the recommendations have been outstanding for more than six months. For this reporting period, we reviewed five audits and inspections that had a total of 102 recommendations outstanding. The OIG was able to collectively close fifteen (15) recommendations from three of the five audits and inspections.
Three of the fifteen recommendations that were closed this period were closed due to management’s decision to accept the risk of not implementing corrective actions for outstanding recommendations in the Audit of the Commission Property Management Controls report; see details on page 4.

Noteworthy Accomplishments

   •   The Office of Human Resources closed nine (9) of 26 audit recommendations from the Audit of the Federal Election Commission’s Office of Human Resources within the first six-month follow-up period.

OIG Concerns

   •   FEC needs to improve the accountability of management officials necessary to ensure compliance with all aspects of Directive 50: Audit Follow-up.

   •   FEC’s IT inventory records are consistently inaccurate, including the records for the recently purchased iPhones for FEC staff.

   •   OIG is concerned with the lack of progress in addressing the outstanding recommendations for the Inspection of the FEC’s Disaster Recovery Plan and Continuity of Operations Plan report. Thirty recommendations were contained in the report, issued January 2013. Over eighteen months have passed and all thirty recommendations remain open.
       The lack of attention to these recommendations may put the agency at risk in the event of a local disaster.

Table Summary of Results

The table below summarizes the progress made by FEC management during the past six months and the outstanding recommendations as of June 2014.

                                                                                            Total Outstanding     Total Closed    Total Open
                                                                                            Recommendations as    and Verified    as of June
Title & Report Date of OIG Audits/Inspection                                                of December 2013      by OIG          2014 [1]

Audit of the Commission’s Property Management Controls (3/2010)                             7                     5 [2]           2
2010 Follow-up Audit of Privacy and Data Protection (3/2011)                                30                    1               29
2010 Follow-up Audit of Procurement and Contract Management (6/2011)                        9                     0               9
Inspection of the FEC’s Disaster Recovery Plan and Continuity of Operations Plans (1/2013)  30                    0               30
Audit of the FEC’s Office of Human Resources (7/2013)                                       26                    9               17

Total Outstanding Recommendations                                                                                                 87

[1] “Total Open as of June 2014” column includes recommendations that management has disagreed with or has not adequately implemented, and the OIG concludes that these
recommendations are still ‘open’.
[2] Three (3) of the five (5) recommendations were closed based on management’s decision to accept the risk of not implementing corrective action.

Audit Follow-up Meetings/Communications

Closed Audits

The Office of Inspector General did not close any audits for this review period.

Open Audits

A. Audit of the Commission’s Property Management Controls

The Office of Inspector General (OIG) issued a memorandum to the Chief Information Officer (CIO) on February 10, 2014 (See Appendix A). The memorandum expressed the OIG’s concern regarding the lack of progress in implementing the remaining seven open recommendations for the Audit of the FEC’s Property Management Controls. The OIG’s memo identified the potential risks to the agency and requested a written statement from the CIO accepting the risk of the outstanding recommendations in order for the OIG to officially close the recommendations.

In a memorandum dated March 4, 2014 (See Appendix B), the CIO provided a response to the OIG regarding the open recommendations.
The OIG reviewed the responses and determined that:

   •   Three recommendations (1h, 3, 3e) will be closed based on management accepting the risk of not implementing corrective action to adequately address the recommendations
          ◦ Recommendation 1h: Document the ITD re-authorization process of PCD [personal communication device] users in ITD’s Policy 58-4.4
          ◦ Recommendation 3: ITD should implement a form and process such as NIST Sample Sanitization Validation form, to record sanitization (wiping) of devices, disposal and/or destruction, as appropriate
          ◦ Recommendation 3e: Segregate the following program functions among three or more ITD staff: purchasing/ordering and recording assets; authorization for purchases, including devices received free under upgrade promotion; receipt,
            storage, and distributing of assets; and destruction or disposal of surplus PCDs;

   •   Two recommendations (1k & 2g) will be closed due to recent changes (January 2014) to the agency’s policy to include details on personal use using the new iPhone devices and the required training provided to FEC staff when issued a device
          ◦ Recommendation 1k: Provide the policies and procedures for the use of Blackberry devices to all users when issuing the Blackberry
          ◦ Recommendation 2g: Management should educate Blackberry users of all features that incur additional cost to the agency, such as: roaming charges that result when employees place calls outside the AT&T service areas; texting; directory assistance; unauthorized software, and voice use over the pooled plan limits; and

   •   Two recommendations (2a & 2f) required follow-up review as the CIO noted that corrective action had been taken and no further actions were necessary, and requested that the recommendations be closed
          ◦ Recommendation 2a: All unassigned Blackberry devices should be suspended or service should be terminated if the device can not be immediately transferred to another user (no active spares kept in ITD).
          ◦ Recommendation 2f: Blackberry user information should be kept up to date and adjusted in a timely manner on the ITD master Blackberry listing and the AT&T Premier website
            for employee separations and new assignment of devices.

The OIG conducted our follow-up review on recommendations 2a & 2f and found that both recommendations were not adequately implemented. To review the detailed results of the follow-up review for recommendations 2a & 2f, please see the Audit of the FEC’s Property Management Controls Testing Results section of this report on page 9.

B. 2010 Follow-up Audit of Privacy and Data Protection

For the 2010 Follow-up Audit of Privacy and Data Protection, the OIG’s December 2013 report identified 30 open recommendations. At the start of this review period, the OIG contacted the Co-Chief Privacy Officers to identify if any corrective actions had been implemented to address the thirty (30) outstanding recommendations. The OIG received confirmation from the Co-Chief Privacy Officers that no progress had been made.

In May 2014, an updated CAP was submitted to the Commissioners noting that one recommendation, 6g, had been implemented. Recommendation 6g requires management to “Implement an alternative to assigning a generic laptop encryption passphrase to contractors so that every contractor has a unique self selected passphrase”. In order to verify implementation of this recommendation, the OIG asked seven (7) [3] FEC contractors whether they have a self-selected passphrase for logging on to their FEC-issued laptops.
Six (6) of the seven contractors verified that they created their own passphrase. For the one contractor, hired in 2014, the OIG verified that the contractor was using an FEC-issued laptop for official FEC business, but their laptop was not encrypted, which would not require them to input a passphrase for accessing the FEC’s laptop. Based on the six contractors with encryption, the OIG closed recommendation 6g.

[3] Three of the seven contractors work for the OIG on the FEC’s annual financial statement audit.

However, FEC’s policy is that all laptops issued to FEC employees and contractors are to be encrypted, which is also an outstanding recommendation (6a: “…require all mobile devices to be encrypted”) for this audit. Since the release of this audit report in 2010, management has failed to provide the documentation necessary to evidence that ITD has the capabilities to verify that every laptop issued to an FEC employee or contractor has been encrypted. During the OIG’s follow-up review in December 2011, the Deputy CIO of Operations sent an email stating that all laptops are encrypted and considered the email to be sufficient evidence to close the recommendation. The OIG does not consider a statement contained in an email adequate evidence or evidence of appropriate controls and documentation being in place. In addition, management’s CAPs sent to the Commission since December 2011, to include the most recent CAP in May 2014, identified recommendation 6a as closed. The one contractor recently hired without an encrypted laptop, and ITD’s inability to provide sufficient evidence since 2010 that all laptops are encrypted, illustrate that FEC is not following its policy; recommendation 6a will therefore remain open.

[Callout: All laptops issued to contractors have not been encrypted and appropriate documentation on encryption of FEC laptops has yet to be provided.]

C. 2010 Follow-up of Procurement and Contract Management

The December 2013 Review of Outstanding Recommendations report noted eight (8) of 17 audit recommendations from the 2010 Follow-up Audit of Procurement and Contract Management had been closed during that reporting period. Per discussion with the Office of the Chief Financial Officer (OCFO) in May 2014, no additional progress has been made related to the remaining 9 outstanding audit recommendations. OIG notes that since the last follow-up work performed, the procurement office lost one full time employee (FTE) and has a new Procurement Officer.
The OIG did not perform any follow-up work during the reporting period ending June 30, 2014.

D. Inspection of the FEC’s Disaster Recovery Plan and Continuity of Operations Plans

The Inspection of the FEC’s Disaster Recovery Plan and Continuity of Operations Plans (COOP Inspection) was released in January 2013. The OIG contacted the Deputy Chief Information Officer (CIO) of Operations to obtain the status of the open recommendations. The Deputy CIO notified the OIG that there has been no change to the status of the thirty (30) outstanding recommendations.

The OIG reviewed management’s May 2014 corrective action plan submitted to the Commission for the COOP Inspection and management stated that “Due dates have been revised to coincide with the COOP plan update this year.” However, based on outstanding recommendations related to the COOP from the FEC’s annual financial statement audit, management currently does not have a project plan [4] in place to address the COOP findings, and their updated due date of October 2014 for implementing corrective actions for the CAP is not reasonable and should be updated once a plan has been developed.

The OIG is concerned with the lack of progress and commitment by the Information Technology Division to address the numerous problems found during the COOP Inspection. In FY 2008, the agency procured contractors to develop the agency’s COOPs and DRP.
The OIG is aware that ITD is planning to procure contract services for a second time because ITD did not follow through with conducting proper testing and monitoring of the plans when they were completed by the contractors in FY 2010.

[Callout: FEC is at risk for spending contract money on COOP for the 2nd time and not completing the project objective.]

The agency spent $277,506 from 2008 to 2010 on ITD’s COOP project which was never fully implemented. The agency is again spending funds to procure almost identical contract services while procuring more computer hardware to replace the previous Netbooks that were used for contingency planning. Although ITD is spending money towards developing the agency’s COOP, ITD does not have a project plan in place to ensure key tasks and milestones to implement corrective actions for findings identified in the COOP Inspection will be achieved. In addition, without a project plan in place, management cannot properly manage the time, resources, and project cost to fully execute the COOP project.
The OIG strongly believes that, without a proper COOP project plan, the agency is at risk for spending money on an IT project that will fail to achieve the project objective as in FY 2010.

Currently, the FEC is not in compliance with a required Presidential Directive: Homeland Security Presidential Directive (HSPD-20), section 19(d) [5]. In the event of a localized emergency or disaster to the FEC building (i.e. fire, flooding, etc.) the agency does not have an adequate plan in place or the necessary tools to ensure the agency can continue to carry out its mission.

[Callout: FEC would be challenged in administering and enforcing FECA in the event of a local disaster.]

[4] Project Plan: a documented plan used to guide both project execution and project control; documents how and when a project's objectives are to be achieved by showing the major deliverables, milestones, activities and resources required on the project.
[5] “Heads of executive departments and agencies shall execute their respective department or agency COOP plans in response to a localized emergency and shall: (d) “Plan, conduct and support annual tests and training…”

E. Audit of the FEC’s Office of Human Resources

The Audit of the Federal Election Commission’s Office of Human Resources (OHR) report was issued in July 2013. The OHR audit report identified 26 audit recommendations to improve OHR operations. In March 2014, the OIG followed up with the Acting Director of Human Resources to discuss corrective actions taken to address the recommendations. Then, the OIG reviewed the updated OHR CAP and requested supporting documentation required to close certain recommendations. Based on the OIG’s review of documentation to support corrective actions by OHR, the OIG closed nine (9) of the 26 outstanding recommendations.

In June 2014, the OIG followed up with one of the OHR follow-up officials (OHR Supervisor) to determine if any additional progress has been made on OHR’s outstanding audit recommendations. OIG was informed that due to the OHR work load, staff shortage, and the hiring of the new Director of OHR, no additional progress has been made since March 2014. Therefore, no additional follow-up work was performed by OIG. As of June 30, 2014 the OHR audit has 17 open audit recommendations.

Audit of the FEC’s Property Management Controls Testing Results

The Chief Information Officer’s (CIO) March 4, 2014 memorandum states that management now has direct access to the AT&T system to ensure changes to inventory records are accurate and made in a timely manner.
Based on the OIG’s review results, the inventory list for the new iPhones is not accurate and the AT&T system is still not properly managed to reflect an accurate record of assigned iPhones, even with the new direct access permitted to management. The lack of adequate internal controls found during the OIG’s 2010 audit for the Blackberry devices still exists, as shown by the OIG’s recent review of iPhone records. The risk of fraud is heightened as the agency has moved to the new iPhone devices that have a greater market value than the prior Blackberry devices. It is concerning that the inventory list for iPhones is not accurate as this is a relatively new acquisition. The OIG has expressed concerns over the lack of appropriate inventory control in ITD for many years.

[Callout: FEC IT inventory records are consistently incomplete and/or contain inaccurate data.]

Detailed Testing Results

To verify corrective action for recommendations 2a & 2f from the Audit of the Commission’s Property Management Controls, the OIG reviewed ITD’s master inventory list provided on April 24, 2014 by the Deputy CIO of Operations and FEC’s AT&T Wireless phone bill for billing cycles February 28 – March 27, 2014 & March 28, 2014 – April 27, 2015.
The OIG reviewed the documentation for accuracy of phone assignments between the master inventory list and the AT&T bill information to ensure corrective action has been adequately implemented to support the CIO’s response that “Spares are…accounted for, properly tracked and managed…PCDs record keeping has never been in any risk of fraud…any risk attached to the audit finding has been mitigated…”

   •   iPhone #XXX-3281 is assigned as a phone in storage on the inventory list; however, the AT&T bill has the device listed as assigned to an Enforcement Division attorney.

   •   iPhone #XXX-4874 is assigned to an Administrative Law Division attorney on the inventory list; however, the AT&T bill has the device listed as assigned to an Enforcement Division attorney.
          ◦ According to the inventory list and the AT&T bill, the Enforcement Division attorney is assigned two iPhones (#XXX-2790 and #XXX-4874).

   •   iPhone #XXX-0439 is assigned as an iPhone in storage on the inventory list; however, the AT&T bill shows the iPhone assigned to an Executive Assistant in a Commission Office.

   •   iPhone #XXX-4659 is assigned to a Program Support Officer on the inventory list; however, the AT&T bill shows the iPhone assigned to an Enforcement Division attorney.

   •   iPhone #XXX-8324 is assigned twice to a Reports Analysis Division employee and an Office of Administrative Review employee on the inventory list; however, the AT&T bill shows the iPhone assigned to the Office of Administrative Review employee.
          ◦ iPhone #XXX-6690 is assigned to the Reports Analysis Division
            employee on the AT&T bill; this iPhone is not listed on the inventory list.

   •   iPhone #XXX-2318 is assigned to a Litigation Division attorney on the inventory list; however, the AT&T bill has the device assigned to a Policy Division attorney [6].

   •   iPhone #XXX-0890 is assigned as the “Federal Election Commission” and not an individual employee on the AT&T bill; however, the inventory list shows the iPhone assigned to a Special Counsel attorney in the Commission Office.

   •   iPhone #XXX-6447 is assigned to a former [7] Executive Assistant in a Commission Office on the AT&T bill; however, the inventory list does not have this iPhone listed.

[6] As of June 8th, 2014 employee is on temporary assignment as an Executive Assistant in a Commission Office.
[7] Employee separated from the FEC on March 22, 2014.

OIG Concerns

FEC needs to improve the accountability of management officials necessary to ensure compliance with all aspects of Directive 50: Audit Follow-up. It is essential that the Commission not only requires management to report on a semi-annual basis the status of outstanding recommendations, but also develops a process to ensure the Audit Follow-up Officials are being held accountable for implementing outstanding recommendations in a timely manner that are beneficial to the agency’s mission and will improve agency programs. The Office of Management and Budget (OMB) Circular No.
A-50 states:

        “Agency heads are responsible for (2) Assuring that management officials throughout the agency understand the value of the audit process and are responsive to audit recommendations.”

Without accountability necessary to ensure corrective actions are taken by management, the mission of the agency is consistently operating under weaker controls that can increase cost, expose the agency to risks, and increase the potential of fraud, waste, and abuse to agency programs.

In addition, the OIG is concerned with the lack of progress in addressing the outstanding recommendations for the Inspection of the FEC’s Disaster Recovery Plan and Continuity of Operations Plan. The original 30 recommendations have been outstanding since the release date of the report, January 2013.

Report Review

This report provides the Commission and management the results of the Office of Inspector General’s (OIG) review of outstanding OIG recommendations as of June 2014.

As required by the Inspector General Act of 1978, as amended, the Office of Inspector General (OIG) is responsible for conducting audits of the Federal Election Commission’s (FEC) programs and operations. In addition to conducting and supervising audits, the OIG also has the responsibility to conduct audit follow-ups to ensure that management has effectively implemented OIG recommendations. Audit follow-up, to include the timely implementation of audit recommendations by FEC management, is required by Office of Management and Budget Circular A-50, Audit Follow-up, as revised, and FEC Directive 50: Audit Follow-up.

In order to work effectively with FEC management in adhering to FEC Directive 50, and to ensure continuous monitoring and adequate and timely audit resolution, the OIG communicates with management at least semiannually to discuss the status of outstanding OIG recommendations.
If management has implemented any corrective actions, the OIG schedules a meeting with management to discuss the implementation of the corrective action(s), and the OIG then reviews evidence of the corrective action (i.e. new/updated policies, procedures, and processes to improve internal controls). Based on management’s availability, the OIG strives to schedule these meetings to provide management with the results of our review prior to management’s reporting deadlines to the Commission in May and November. These meetings can provide management with timely OIG feedback for their semiannual reports to the Commission and enable the OIG to keep abreast of management’s progress. The semiannual meetings are also intended to assist the audit follow-up official in following provisions 4 through 6 of Directive 50, which are listed as follows:

        “(4) Respond in a timely manner to all audit reports;
         (5) Engage in a good faith effort to resolve all disagreements; and
         (6) Produce semi-annual reports that are submitted to the agency head.”

FEC management is required by FEC Directive 50 to provide semiannual status reports (May and November) to the Commission of their progress concerning outstanding OIG recommendations. The official status (open/closed) of OIG recommendations is determined by the OIG once the OIG has verified that management has adequately implemented the corrective actions. The Inspector General can also make a decision to close recommendations or seek resolution from the Commission for recommendations where the OIG and management disagree.
Lastly, the number of outstanding recommendations is reported to the Commission and Congress in the OIG’s Semiannual Reports to Congress.

Background

At the conclusion of each OIG audit and inspection, it is management’s responsibility to develop a corrective action plan (CAP). The CAP identifies the plan management has developed to address the OIG’s findings and recommendations. The CAP should detail the following:

     1. assignment of Audit Follow-up Official (AFO), who is responsible for overseeing the corrective action;
     2. OIG finding(s);
     3. OIG recommendation(s);
     4. detailed corrective action to implement the OIG’s recommendation(s);
     5. FEC staff person with responsibility to implement each task; and
     6. expected completion dates.

Once management drafts the CAP, the OIG then reviews their CAP and provides comments to management regarding the sufficiency of their planned corrective actions to address the OIG’s findings.

Management reviews the OIG’s comments, finalizes the CAP, and then provides the final CAP to the Commission with a courtesy copy to the OIG.

FEC Directive 50 requires management to:

“(3) Conduct regular meetings with the Inspector General throughout the year to follow-up on outstanding findings and recommendations, and include reports of these meetings in the written corrective action plan and semi-annual reports required to be presented to the Commission…;”

APPENDIX A

FEDERAL ELECTION COMMISSION
WASHINGTON, D.C. 20463
Office of Inspector General

MEMORANDUM

TO:           Alec Palmer
              Staff Director/Chief Information Officer

FROM:         Lynne A. McFarland
              Inspector General

SUBJECT:      Risk Acceptance Statement: December 2013 Review of Outstanding Recommendations Report

DATE:         February 10, 2014

The Office of Inspector General (OIG) is finalizing the December 2013 Review of Outstanding Recommendations Report to be released February 2014. As you know, the OIG’s outstanding recommendations report details the results of the OIG’s follow-up reviews for audit and inspections that have outstanding recommendations for six months or more.

As of December 2013, the Audit of the FEC’s Property Management Controls has several recommendations that have been outstanding for over three years. The OIG has reported on our concern with the lack of progress from ITD management since June 2012, and our soon to be released report on outstanding recommendations reiterates the OIG’s concern. The audit follow-up official has stated during OIG follow-up reviews that no further corrective actions will be implemented to address the remaining recommendations and management considers the recommendations closed. Therefore, the OIG’s December 2013 Review of Outstanding Recommendations Report is requesting a written statement from the Staff Director accepting the risk of the outstanding recommendations in order for the OIG to officially close the open recommendations. A list of the outstanding recommendations, and the risks associated with not implementing the recommendations, is attached with this memo and will also be included in the final report.

In addition, the OIG is aware that ITD is in the process of replacing the Blackberry devices with iPhones.
The OIG would like to note that the outstanding recommendations
are applicable to the iPhone and any other cellular phone device the agency may procure.
Based on the OIG’s knowledge of the agency’s lack of controls in this area, the OIG
believes the roll-out of the new iPhone devices would be the opportune time for
management to implement the remaining outstanding recommendations to improve the
agency’s controls.

The OIG is requesting a written statement from the Staff Director by March 3, 2014 in
response to accepting the risk of the outstanding recommendations for the Audit of the
Property Management Controls in order for the OIG to properly plan for the next audit
follow-up review period. If you decide to implement one or more of the outstanding
recommendations, based on the risks outlined in this memorandum, please let me know
by March 3, 2014 so that I can schedule a review of the corrective action(s) at a future
date.

Thank you.

Attachment


Management’s Acceptance of Risk for the Audit of the FEC’s Property Management
Controls Outstanding Recommendations

The Office of Inspector General is requesting a written statement from the Staff Director
in regards to the remaining open recommendations from the Audit of the FEC’s Property
Management Controls that are listed below. In order to close these recommendations and
conclude the follow-up process, the Staff Director should state that management will
accept the risk of not implementing the outstanding recommendations. Below are the
outstanding recommendations and their associated risks.

   1. Recommendation 1h: Document the ITD re-authorization process of PCD
      [personal communication device/Blackberry] users in ITD's Policy 58-4.4
          • Risk: Waste of agency funding.
               ▪ The re-authorization of PCD users is an internal control to help
                 ensure that staff provided a Blackberry continue to have a need for
                 the device. Staff members’ job responsibilities change over time, and
                 their need for a Blackberry can change. Therefore, it is important to
                 periodically review the staff assigned a Blackberry to make sure
                 the expenditure of funds for the Blackberry service is still required.
                 As ITD is the office with oversight of the Blackberry devices,
                 ITD’s refusal to periodically re-authorize the users means ITD may
                 be unaware if the agency is wasting funds on FEC personnel or
                 contractors who no longer have a business need for an FEC issued
                 Blackberry.

   2. Recommendation 1k: Provide the policies and procedures for the use of
      Blackberry devices to all users when issuing the Blackberry.
          • Risk: Abuse of government property.
               ▪ Blackberry devices issued to authorized users have the potential to
                 be misused (excessive personal use, downloading of unauthorized
                 applications, viewing prohibited information on a government
                 issued device, etc.) if users are not aware of policies and procedures
                 for using an FEC issued Blackberry.

   3. Recommendation 2a: All unassigned Blackberry devices should be suspended or
      service should be terminated if the device cannot be immediately transferred to
      another user (no active spares kept in ITD).
      At the time of our inspection, ITD
      retained a minimum of 10 inactive spare devices (many of the spares were left
      active incurring monthly charges) and a spare Subscriber Identity Module (SIM)
      card (portable memory chip). If required, a device could be activated within 24
      hours.
          • Risk: Fraud and no internal control.
               ▪ In a prior audit follow-up, management stated that they have
                 decreased the number of spare devices on hand to three. Although
                 the OIG agrees that three spare devices is more reasonable than the
                 previous 10 spares, the OIG reviewed devices listed as unassigned
                 (spare) on the agency’s AT&T monthly bill and they showed
                 activity (in use) and were listed as assigned to FEC personnel on
                 the inventory list. As a result, ITD is not maintaining accurate
                 records of the unassigned Blackberry devices. Because these
                 devices are not properly tracked, management runs the risk of
                 potential fraud (stolen devices, unauthorized activity) because ITD
                 does not maintain proper records of spare devices.

   4. Recommendation 2f: Blackberry user information should be kept up to date and
      adjusted in a timely manner on the ITD master Blackberry listing and the AT&T
      Premier website for employee separations and new assignment of devices.
          • Risk: Fraud and no internal control.
               ▪ Because these devices are not properly tracked, management runs
                 the risk of potential fraud (stolen devices) because ITD does not
                 maintain proper inventory records, and it’s likely these devices
                 would not be detected as missing.

   5. Recommendation 2g: Management should educate Blackberry users of all features
      that incur additional cost to the agency, such as: roaming charges that result when
      employees place calls outside AT&T service areas; texting; directory assistance;
      unauthorized software, and voice use over the pooled plan limits.
          • Risk: Waste of agency funding and abuse of government property.
               ▪ The agency is at risk of wasting funds on unauthorized device
                 features that cost additional money beyond the agency’s plan.
                 There is also potential for abuse by users in using their agency
                 issued devices for excessive personal use. Both instances have
                 been identified by the OIG and reported to management during the
                 initial audit and in prior follow-up reviews.

   6. Recommendation 3: ITD should implement a form and process such as the NIST
      Sample Sanitization Validation form, to record sanitization (wiping) of devices,
      disposal and/or destruction, as appropriate.
          • Risk: Data breaches and fraud.
               ▪ Old devices that are no longer in use run the risk of containing
                 sensitive information from emails/attachments if management has
                 no record that the device has been properly sanitized prior to
                 transferring the device as surplus to the General Services
                 Administration. In addition, if the device is to be destroyed and
                 there is no record of the destruction, there is a risk that the device
                 can be removed from the agency and used for personal use or
                 prohibited activity (selling an agency issued device).

   7. Recommendation 3e: Segregate the following program functions among three or
      more ITD staff: Purchasing/ordering and recording assets; Authorization for
      purchases, including devices received free under upgrade promotion; Receipt,
      storage, and distributing of assets; and Destruction or disposal of surplus PCDs.
          • Risk: Waste of agency funds and fraud.
               ▪ Having one person to oversee all purchasing, recording, and storage
                 responsibilities for Blackberry devices presents the risk of a) wasting
                 agency funds on additional devices that are purchased for prohibited
                 activity; b) abuse of agency devices being used as personal use; and c)
                 creating fraudulent documentation and records to prevent the detection
                 of prohibited activity of agency issued devices.


                                   APPENDIX B


                         Federal Election Commission
                           Office of Inspector General

    Fraud Hotline
    202-694-1015

      or toll free at 1-800-424-9530 (press 0; then dial 1015)
      Fax us at 202-501-8134 or e-mail us at oig@fec.gov
      Visit or write to us at 999 E Street, N.W., Suite 940, Washington DC 20463

Individuals including FEC and FEC contractor employees are encouraged to alert the OIG to
fraud, waste, abuse, and mismanagement of agency programs and operations. Individuals
who contact the OIG can remain anonymous. However, persons who report allegations are encouraged
to provide their contact information in the event additional questions arise as the OIG evaluates the
allegations. Allegations with limited details or merit may be held in abeyance until further specific details
are reported or obtained.
Pursuant to the Inspector General Act of 1978, as amended, the Inspector
General will not disclose the identity of an individual who provides information without the consent of that
individual, unless the Inspector General determines that such disclosure is unavoidable during the course
of an investigation. To learn more about the OIG, visit our Website at: http://www.fec.gov/fecig/fecig.shtml

                            Together we can make a difference.